Add NaCL private key to AKV - connect_cdc_sqdata - Latest

Connect CDC (SQData) Utilities

Product type
Software
Portfolio
Integrate
Product family
Connect
Product
Connect > Connect CDC (SQData)
Version
Latest
Language
English
Product name
Connect CDC (SQData)
Title
Connect CDC (SQData) Utilities
Copyright
2024
First publish date
2000
Last edition
2024-07-30
Last publish date
2024-07-30T19:47:43.164598

Microsoft's Azure Key Vault is becoming an increasingly popular resource for securing credentials particularly for Event Hub and other Azure cloud services. The “Secrets Management” feature of AKV is used for storing the NaCl private key used by Connect CDC SQData. See the official introduction to AKV at https://docs.microsoft.com/en-us/azure/key-vault/general/overview.

Once the NaCL key pair has been generated by %PREFIX%>UTIL , the contents of the private key file, id_nacl can be stored as a "secret" using either Microsoft's Azure Portal import process or the Azure CLI.

Syntax:

Using the id_nacl file content from the KeyGen, use Azure CLI in a script or at the command line to specify only the private key value from the file, excluding the "-----BEGIN NACL PRIVATE KEY-----" and "-----END NACL PRIVATE KEY-----" lines.
az keyvault secret set --vault-name "<your-unique-keyvault-name>" --name "id_nacl" --value "L68x1APsG4Bhhv+gG4CYP3IdsSUX3fNSQ030RUy0T5I="

Once the NaCL Private pair has been secured in the AKV it will be referenced as required by Connect CDC SQData components using the existing method for specifying non-default identity locations:

Syntax
--identity=azkv://<vault-name>.vault.azure.net/secrets/<secret_name>
Parameter Description
secret_name

While any name can be used for the secret, using ïd_nacl" or when several different NaCL private keys are to be stored in the AKV, a naming standard that relates to a host or application name concatenated with id_nacl may be appropriate.

Note:
  • Azure Key Vault (AKV) based secrets in Connect CDC SQData are supported only on Linux platforms.
  • AKV requires an Azure Active Directory (AAD) token to be presented to retrieve secrets. SQData retrieves AAD tokens from Azure differently when running on on-prem Linux machines and when running on Azure Linux VM.
    • When running on-prem, to retrieve AAD, tenant_id, client_id and client_secret have to be specified in the sqdata_cloud.conf file located in the working directory.
    • When running on Azure VM, AAD will retrieved from managed identity. Two types of managed identities are supported:
      • If client_id is specified in sqdata_cloud.conf file, then AAD token is retrieved from user managed identity
      • If none of tenant_id, client_id and client_secret is specified, then AAD token is retrieved from system managed identity.
  • An example sqdata_cloud.conf file:
    [azkv]
    tenant_id=f0h2842c-8394-4tcu-bb4r-e7745dc73b3b
    client_id=73495b95-9d73-4973-8318-caf355b10f54
    client_secret=~WlkC~4QsdQFLg0XyEeb0923_23MpRWsC~.